CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30266 – Wasmtime vulnerable to panic when using a dropped extenref-typed element segment
https://notcve.org/view.php?id=CVE-2024-30266
wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1. wasmtime es un tiempo de ejecución para WebAssembly. La versión 19.0.0 de Wasmtime contiene una regresión introducida durante su desarrollo que puede provocar que un módulo WebAssembly invitado cause pánico en el tiempo de ejecución del host. • https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664 https://github.com/bytecodealliance/wasmtime/issues/8281 https://github.com/bytecodealliance/wasmtime/pull/8018 https://github.com/bytecodealliance/wasmtime/pull/8283 https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-41880 – Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
https://notcve.org/view.php?id=CVE-2023-41880
Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x86_64 is affected so all other targets are not affected by this. The miscompilation results in the instruction producing an incorrect result, namely the low 32-bits of the second lane of the vector are derived from the low 32-bits of the second lane of the input vector instead of the high 32-bits. The primary impact of this issue is that any WebAssembly program using the `i64x2.shr_s` with a constant shift amount larger than 32 may produce an incorrect result. This issue is not an escape from the WebAssembly sandbox. • https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simd https://github.com/bytecodealliance/wasmtime/commit/8d7eda15b0badcbea83a7aac2d08f80788b59240 https://github.com/bytecodealliance/wasmtime/pull/6372 https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh#:~:text=Mailing%20list%20announcement • CWE-193: Off-by-one Error •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30624 – Wasmtime has Undefined Behavior in Rust runtime functions
https://notcve.org/view.php?id=CVE-2023-30624
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for correctness, to be optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known to have incorrectly compiled functions. Versions of Wasmtime compiled with the current Rust stable release, 1.69, and prior are not known at this time to have any issues, but can theoretically exhibit potential issues. The underlying problem is that Wasmtime's runtime state for an instance involves a Rust-defined structure called `Instance` which has a trailing `VMContext` structure after it. • https://github.com/bytecodealliance/wasmtime/commit/0977952dcd9d482bff7c288868ccb52769b3a92e https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7 • CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior •
CVSS: 9.9EPSS: 0%CPEs: 6EXPL: 0CVE-2023-26489 – Guest-controlled out-of-bounds read/write on x86_64 in wasmtime
https://notcve.org/view.php?id=CVE-2023-26489
wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of WebAssembly's defined 33-bit effective address. This bug means that, with default codegen settings, a wasm-controlled load/store operation could read/write addresses up to 35 bits away from the base of linear memory. Due to this bug, however, addresses up to `0xffffffff * 8 + 0x7ffffffc = 36507222004 = ~34G` bytes away from the base of linear memory are possible from guest code. This means that the virtual memory 6G away from the base of linear memory up to ~34G away can be read/written by a malicious module. • https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.static_memory_guard_size https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.static_memory_maximum_size https://github.com/bytecodealliance/wasmtime/commit/63fb30e4b4415455d47b3da5a19d79c12f4f2d1f https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ff4p-7xrq-q5r8 https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/Mov-ItrNJsQ • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-27477
https://notcve.org/view.php?id=CVE-2023-27477
wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of the selected indices are greater than 16. There is an off-by-one error in the calculation of the mask to the `pshufb` instruction which causes incorrect results to be returned if lanes are selected from the second vector. This codegen bug has been fixed in Wasmtiem 6.0.1, 5.0.1, and 4.0.1. Users are recommended to upgrade to these updated versions. • https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simd https://github.com/bytecodealliance/wasmtime/commit/5dc2bbccbb363e474d2c9a1b8e38a89a43bbd5d1 https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xm67-587q-r2vw https://github.com/webassembly/simd https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/Mov-ItrNJsQ • CWE-193: Off-by-one Error •